Hello,
I am trying to set up a Linux laptop for home office use with login for AD users. The last few days it worked as expected.

Today wbinfo -u returns no user; getent passwd <username> also.

wbinfo -a "SAMDOM\user"
Enter SAMDOM\user's password:
plaintext password authentication succeeded
Enter SAMDOM\user's password:
challenge/response password authentication succeeded

wbinfo -D SAMDOM also works.

laptop smb.conf:

[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM

        log file = /var/log/samba/%m.log
        log level = 1

        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind use default domain = yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 1000-2000

        # idmap config for the SAMDOM domain
        # alf has uid 1006
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 2001-999999

        template homedir = /home/%U
        template shell = /bin/bash

        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 2

        # fix dfs errors in log?
        host msdfs = no

        # https://wiki.samba.org/index.php/PAM_Offline_Authentication
        winbind offline logon = yes
        winbind cache time = 15768000

        winbind enum users = yes
        winbind enum groups = yes

cat /etc/krb5.conf
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
Just a thing I noticed.

> idmap config * : range = 1000-2000

This might give conflicts.
Output of `cat /etc/adduser.conf | grep "[G-U]ID"`
These ranges should not overlap.

After how many days/hours did it stop working?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] on behalf of basti via samba
> Sent: Friday, 10 July 2020 12:10
> To: samba at lists.samba.org
> Subject: [Samba] wbinfo -u / getent passwd not working
>
> [original message quoted in full, see above]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 10/07/2020 11:10, basti via samba wrote:
> Hello,
> I am trying to set up a Linux laptop for home office use with login for AD users.
> [rest of the original message quoted, see above]

What OS and version is this?

What Samba version?

Why are you using such low ID numbers, is your domain a classic-upgraded one?

Rowland
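The two points raised so far are checkable without touching the domain: Louis's comparison of the idmap ranges against the local UID range in adduser.conf, and the "# alf has uid 1006" comment in the posted smb.conf, which places that AD uidNumber inside the `*` (tdb) range 1000-2000 rather than inside the SAMDOM range 2001-999999; the ad backend only maps IDs that fall within its configured range, so such a user is reported as not existing even though the join itself is fine. The script below is an added example, not code from the thread or from Samba; the two config texts it parses are constructed to mirror the thread (the FIRST_UID/LAST_UID values are the Debian defaults), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: compare the idmap ranges in an smb.conf
# with each other and with the local-account UID range from adduser.conf (the
# check Louis asked for), and test whether a given AD uidNumber lands inside
# its domain's idmap range. Both config texts are constructed to mirror the
# thread; the FIRST_UID/LAST_UID values are the Debian defaults.

SMB_CONF_SAMPLE='[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000-2000
   # alf has uid 1006
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 2001-999999
'

ADDUSER_CONF_SAMPLE='FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
FIRST_UID=1000
LAST_UID=59999
FIRST_GID=1000
LAST_GID=59999
'

# Print one "domain lo hi" line per "idmap config <domain> : range = lo-hi".
# Samba accepts "SAMDOM:range" and "SAMDOM : range" alike, so both are parsed.
idmap_ranges() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap config[ \t]/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            n = index(line, ":")
            if (n == 0) next
            dom = substr(line, 1, n - 1); gsub(/[ \t]+$/, "", dom)
            rest = substr(line, n + 1)
            if (rest !~ /^[ \t]*range[ \t]*=/) next
            sub(/^[ \t]*range[ \t]*=[ \t]*/, "", rest)
            split(rest, r, "-")
            gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
            print dom, r[1], r[2]
        }'
}

# Print one line per conflict: inverted range, overlap with the local UID
# range, or overlap between two idmap ranges. Prints nothing when all is well.
idmap_conflicts() {
    local_lo=$(printf '%s\n' "$2" | sed -n 's/^FIRST_UID=\([0-9][0-9]*\).*/\1/p')
    local_hi=$(printf '%s\n' "$2" | sed -n 's/^LAST_UID=\([0-9][0-9]*\).*/\1/p')
    idmap_ranges "$1" | awk -v llo="$local_lo" -v lhi="$local_hi" '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (hi[i] < lo[i])
                    printf "idmap \"%s\" range %d-%d is inverted\n", dom[i], lo[i], hi[i]
                if (llo != "" && lo[i] <= lhi + 0 && llo + 0 <= hi[i])
                    printf "idmap \"%s\" %d-%d overlaps local UID range %s-%s (adduser.conf)\n", dom[i], lo[i], hi[i], llo, lhi
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        printf "idmap \"%s\" %d-%d overlaps idmap \"%s\" %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
            }
        }'
}

# Exit 0 when the ranges are clean, 1 otherwise (findings go to stdout).
check_idmap_overlap() {
    findings=$(idmap_conflicts "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Exit 0 when uidNumber $3 lies inside the idmap range of domain $2 in the
# smb.conf text $1. The ad backend ignores IDs outside the configured range,
# so such a user is simply "not found" even though the domain join is fine.
uid_in_domain_range() {
    idmap_ranges "$1" | awk -v d="$2" -v id="$3" '
        $1 == d && id + 0 >= $2 + 0 && id + 0 <= $3 + 0 { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

check_idmap_overlap "$SMB_CONF_SAMPLE" "$ADDUSER_CONF_SAMPLE" \
    || echo "fix the ranges (or adduser.conf) before retrying"
uid_in_domain_range "$SMB_CONF_SAMPLE" SAMDOM 1006 \
    || echo "uid 1006 is outside the SAMDOM idmap range; winbind will not map it"
```

Run against the real files with `check_idmap_overlap "$(cat /etc/smb.conf)" "$(cat /etc/adduser.conf)"` (path adjusted to the distribution) and compare the uidNumber of the failing account, as shown by `ldbsearch` or the AD management tools, with `uid_in_domain_range`. A range that overlaps local accounts is a mapping problem waiting to happen rather than the immediate cause of an empty `wbinfo -u`, which is why the thread also asks for the winbind log.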
On 10.07.20 12:18, L.P.H. van Belle via samba wrote:
> Just a thing I noticed.
>
>> idmap config * : range = 1000-2000
> This might give conflicts.
> Output of `cat /etc/adduser.conf | grep "[G-U]ID"`
> These ranges should not overlap.

I think that should not be the problem; I have multiple servers with the Samba config that works, and only 1 or 2 local users.

> After how many days/hours did it stop working?

I would say 2 days?

I do not understand why wbinfo -g works but wbinfo -u does not.

> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] on behalf of basti via samba
>> Sent: Friday, 10 July 2020 12:10
>> To: samba at lists.samba.org
>> Subject: [Samba] wbinfo -u / getent passwd not working
>>
>> [original message quoted in full, see above]
On 10.07.20 12:25, Rowland penny via samba wrote:
> On 10/07/2020 11:10, basti via samba wrote:
>> Hello,
>> I am trying to set up a Linux laptop for home office use with login for AD users.
>> [rest of the original message quoted, see above]
>
> What OS and version is this?

debian 10

> What Samba version?

2:4.9.5+dfsg-5+deb10u1, only winbind installed.

> Why are you using such low ID numbers, is your domain a classic-upgraded one?

yes

> Rowland
https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html#libdefaults

Kerberos ticket_lifetime defaults to 1 day.

What does the auth.log show?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] on behalf of basti via samba
> Sent: Friday, 10 July 2020 12:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] wbinfo -u / getent passwd not working
>
> On 10.07.20 12:18, L.P.H. van Belle via samba wrote:
> > Just a thing I noticed.
> >
> >> idmap config * : range = 1000-2000
> > This might give conflicts.
> > Output of `cat /etc/adduser.conf | grep "[G-U]ID"`
> > These ranges should not overlap.
>
> I think that should not be the problem; I have multiple servers with the Samba config that works, and only 1 or 2 local users.
>
> > After how many days/hours did it stop working?
>
> I would say 2 days?
>
> I do not understand why wbinfo -g works but wbinfo -u does not.
>
> [earlier messages quoted in full, see above]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
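Louis's pointer to ticket_lifetime is the thread's second lead: the posted krb5.conf leaves both ticket and renewal lifetimes at their defaults, and smb.conf sets `winbind refresh tickets = Yes`, which can only renew a user's TGT while that TGT is still renewable. The fragment below is an added example, not the poster's file or anything Samba ships: it shows where those two knobs live in [libdefaults]. The values are assumptions; the KDC caps whatever is requested here, and an Active Directory domain policy defaults to a 10 hour ticket lifetime and a 7 day renewal window.

```ini
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ; added example values, not from the thread: explicit lifetimes so the
        ; client asks for a renewable TGT; the KDC's own policy still caps both
        ticket_lifetime = 10h
        renew_lifetime = 7d
```

After a PAM login, `klist` for that user should show an "Expires" and a "renew until" column; if "renew until" is missing the ticket is not renewable and refreshing will stop at the first expiry. None of this affects `wbinfo -u` directly, which uses the machine account, so `net ads testjoin` and `klist -k /etc/krb5.keytab` are the checks for that side.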